Agenda: Foiling the Bad Guys

A quick look at the problem
An integrated, deployable solution for:

- Monitoring the network infrastructure
- Monitoring hosts
- Conversation monitoring and tracking
- The truly hardened perimeter
- The crypto element
- User behavior analysis
- THE BIG PROBLEM - event correlation and management
  . New tools applied to an old problem

What comes next. Scaling to Gigabit speeds.


ODS 


Our Subject - Protection of.


Winning War Strategy

Put up attacks that the enemy can’t defend

Put up offensive weapons systems for which the enemy can’t afford the defensive system

Strive for large asymmetry: 1 cent attack, $100 defense


ODS Threats to Your Network

[Diagram labels: Natural; Intentional; Outsider]

• fires
• floods
• earthquakes
• hurricanes
• extreme heat
• extreme cold

• tampering
• availability
• destruction

• malicious hacker
• spy
• disgruntled former employee

• software bugs
• system overloads
• hardware failures
• poorly trained administrators
• errors and accidents
• uninformed and/or untrained staff

• dishonest or disgruntled employee
• outsource employee or contract employee
• partner, vendor, VAR

• access
• abuse

Source: National Defense University

How We Got Here


ODS Pearl Harbor Scenario

• Who won’t
  - Those most likely to be able to
  - Professional corporate spies
  - Intelligence organizations
  - Hackers, spies, and thieves don’t harm the Internet, it nukes their sandbox

• Who might:
  - A terrorist group
  - Fringe psychopaths
  - Journeyman invaders
  - Tactical theater enemies

Internal Yes
External Yes


ODS Covert Cyber Intelligence against
the US Infrastructure

Attacks against sensitive but unclassified systems are:

- relatively easy
- effective
- non-traceable
- deadly
- cheap labor pool ready for work
- bad asymmetry in both $ and expert people


ODS The smartest penetrators

. Military or Intelligence staff
. Mercenary hackers who are Warsaw ex-intel
. Target troop movement, plans, and logistics data
. Steal advanced research and planning data
. Never use shared tools
. Heavy use of spoofing, twin sessions, stolen sessions
. More likely to evade Firewalls and IDS systems


Motivations and methods

- Amateur hackers versus strong, well funded adversaries
- Attacks versus industrial espionage
- Mischief versus strategic data collection
- Commonly available hacker tools versus proprietary tools
- The bad guys we easily detect versus the bad guys we never see

We need to protect against all threats, inside and outside.


An Integrated Infrastructure Defense

A Modular, Scalable, Layered,
Coordinated Multi-vendor Defense

Joe Head
head@ods.com
972/301-3636


Enterprise Network Security

Network Traffic Inspection

Computer Misuse Detection

Extreme Access . . .
Infinite Possibilities

A Field Deployable,
Modular, Scalable
Multivendor Security Solution


SecureCom Integrates Protection
At All Critical Places

[Diagram labels: Computer Misuse Detection & Response (Internal); Network Monitoring and Traffic Inspection (Perimeter, Internal); Internal Network; Server; Internet; SecureDetector; Frame Relay; UNSECU; SCREENING ROUTER; DMZ NETWORK; SecureCom Internet Security Device; SNMP; Customer Site; BUS]

Specifications:

Use        Easy to Install
           Easy to Configure
           Easy to Support
           Easy to Troubleshoot
LAN        Ethernet
Chassis    Base Unit
           N+1 Power
           Designed for NEBS
Modules    Hot Swappable
BUS        100 Mbps Switched
           Shared Management
Manage     SNMP & RMON
           Out of band, encrypted
Router     Any Cisco, COTS, SW
Firewall   FW1, LMF, Raptor, etc.
Processor  Intel
           Sparc
O/S        NT
           X.86
           Unix
Audit      Remote Log to CMDS

SecureCom Benefits

Small footprint: easy deployment
DMZ in a box, LAN in a can

Any Cisco router, any Firewall, any IDS, plus all NT,
Solaris, Linux, or HP/UX application

multiport conditional 1-way forwarding to any IDS


Using the SecureCom as a multi-segment
internal attack Detection System

RealSecure or NetRanger
Threat Detection & Response

Real-time response to terminate, alert, or log

Intrusion Detection

Unobtrusive network security monitoring
- Monitors data centrally
- Only one detection system is needed for multiple segments
- Cannot be detected

SecureCom

Delivers real-time security response (Alarms)
- Terminates, Alerts, or Logs

Delivers security auditing (Reports)
- Identifies, Alerts, & Audits workgroups

[Diagram labels: Internet; Internet Firewall; Internet Threat; Internal Threat; Modem Threat; WAN Access; WWW, FTP, Mail; NETWORK]


Making RealSecure and NetRanger
More Usable

ODS multiport listening mode multiplies the number of
segments monitorable by an $8,000 or $23,000 IDS. These
prices are way too expensive to monitor every T1 circuit
with a separate IDS license. Embedded with an ODS
SecureSwitch, many segments may be protected by a
single IDS.

CMDS Enterprise is very helpful to both eliminate false
alarms and develop expert profiles of user behavior.

ODS conversation analysis allows the consideration of
“non-attack” traffic into the mix. This is essential since
both RealSecure and NetRanger are reactive only
(template based detection).


Keeping track of who is talking
to who is a good idea

- Nature of alien conversations
  . Telnet, Rlogin, RPC, etc.
  . Non-web applications
- Byte Symmetry
  . FTP net data outflow
  . Workstations acting as servers
- Competitors
- Workstation to workstation activity
  . Win 95 file sharing detection
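
The checks listed on this slide (alien conversations, byte symmetry, workstations acting as servers, workstation-to-workstation file sharing) can be sketched over flow records. This is an added example, not ODS code; the address plan, server list, port numbers and thresholds are assumptions, and the flow records are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for this sketch (none of these values come from the slides).
INTERNAL = ip_network("10.1.0.0/16")        # site address plan
SERVERS = {"10.1.0.10", "10.1.0.11"}        # hosts allowed to act as servers
ALIEN_PORTS = {23: "telnet", 513: "rlogin", 111: "rpc-portmap"}
FILE_SHARING_PORT = 139                     # NetBIOS session (Windows file sharing)
OUTFLOW_RATIO = 10.0                        # bytes out must exceed 10x bytes in
OUTFLOW_MIN_BYTES = 1_000_000               # ignore small conversations

# Constructed flow records:
# (client, server, server_port, bytes client->server, bytes server->client)
SAMPLE_FLOWS = [
    ("10.1.2.21", "10.1.0.10", 80, 4_000, 250_000),         # normal web use
    ("10.1.2.21", "198.51.100.7", 21, 48_000_000, 9_000),   # large FTP upload
    ("10.1.2.21", "198.51.100.7", 21, 12_000_000, 3_000),
    ("10.1.3.40", "10.1.2.33", 139, 20_000, 900_000),       # peer file sharing
    ("203.0.113.9", "10.1.2.33", 23, 1_200, 30_000),        # telnet from outside
    ("10.1.4.5", "10.1.0.11", 25, 80_000, 2_000),           # mail to mail server
]


def is_internal(addr):
    return ip_address(addr) in INTERNAL


def is_workstation(addr):
    return is_internal(addr) and addr not in SERVERS


def analyze(flows):
    """Return (kind, client, server, detail) findings for a list of flows."""
    findings = []
    totals = defaultdict(lambda: [0, 0])    # (inside, outside) -> [out, in]
    for client, server, port, c2s, s2c in flows:
        # Legacy remote-access protocols that cross the perimeter.
        if port in ALIEN_PORTS and is_internal(client) != is_internal(server):
            findings.append(("alien-conversation", client, server,
                             ALIEN_PORTS[port]))
        # A host outside the server list is answering connections.
        if is_workstation(server):
            kind = ("workstation-to-workstation" if is_workstation(client)
                    else "workstation-as-server")
            detail = ("file-sharing" if port == FILE_SHARING_PORT
                      else f"port {port}")
            findings.append((kind, client, server, detail))
        # Accumulate byte counts per inside/outside pair for symmetry checks.
        if is_internal(client) and not is_internal(server):
            totals[(client, server)][0] += c2s
            totals[(client, server)][1] += s2c
        elif is_internal(server) and not is_internal(client):
            totals[(server, client)][0] += s2c
            totals[(server, client)][1] += c2s
    for (inside, outside), (out_b, in_b) in totals.items():
        if out_b >= OUTFLOW_MIN_BYTES and out_b > OUTFLOW_RATIO * max(in_b, 1):
            findings.append(("net-data-outflow", inside, outside,
                             f"{out_b} out / {in_b} in"))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS):
        print(finding)
```
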


IP Conversation Analysis

[Chart: conversations by Src Domain and Dest Domain]


Internal Network Monitoring
with SNMP/RMON

Querying the network to find security holes and vulnerable configurations

WWW, FTP, Mail


ODS All 5 ISO Network
Management Categories

• Data-centric, not device-centric management
  - Delivers network inventory
  - Collects data from any SNMP-managed device
  - Identifies problems by category regardless of device brand, type or location
  - Provides standard & customizable reporting on collected data
    . Security
    . Configuration
    . Fault
    . Performance
    . Accounting


ODS Elements of a Layered Defense

• External Threats:
  - Screening Router
  - Auditing of DMZ assets: Mail, Web, FTP
  - Firewall plus IDS
  - Authenticated remote users - VPN, defense against cryptographic attacks and traffic analysis
  - Firewall and VPN leak detection, audit, and user profiling
  - Back door detection

• Internal Threats:
  - Internal IDS
  - Protection against clever VPN attacks: spoof, twin, theft, bandwidth, replay, cryptographic, traffic analysis
  - Network Conversation analysis
  - Host conversation analysis
  - Internal authentication, compartmentalization *
  - Using existing, rich data sources: logs from routers, switches, hosts, workstations
  - Security policy audit and enforcement
  - Statistical behavior analysis for habit changes from norm
  - Users compared to group bell curves: The Ames detector


Hardening the non-existent
Perimeter

We all know more than a firewall is necessary

Deploy:
- Host OS-based monitoring
- Application-based monitoring
  . Web, SMTP, FTP, Firewall
- Router log analysis
- Modem back door protection
  IDS on WAN and RAS links
- Two-factor crypto authentication
  . Strong crypto over the Internet
  . Cross compartment authentication


Protect, Compress, Eliminate
Your Expensive WAN Trunks

Per Packet: Cryptographic Authentication, salt, and sequence numbers


The Remote User:
ODS Per Packet Authentication,
Ames/duress Detection too!

[Diagram labels: C3I Servers; WWW, FTP, Mail; C3I Segment; Internet Access; Public Dial; Crytocom Client, Remote C3I Access; Crytocom Client, Roving Logistics]

Most “remote access” products are for dial-up and/or are media
dependent.

Most of their security features are limited to weak authentication
(of the user) upon first part of connection only.

Very few support “home network” configuration. (Key to back door
detection.)

Serious security flaws. Lacking: Salt values, hardware key
generation, sequence numbers as additional salt to prevent replay.

Most VPN solutions are not designed for resistance against serious
enemies.
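
Per-packet authentication with a salt and a sequence number, as named on these slides, sketched as an added example (not ODS or CryptoWatch code). It swaps in HMAC-SHA-256 with a shared key where the product slide lists RSA signatures of SHA-1 or MD5, it authenticates but does not encrypt, and the packet layout, window size and class names are assumptions.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32                       # HMAC-SHA-256 output size
HEADER = struct.Struct("!Q8s")     # 64-bit sequence number, 8-byte random salt
WINDOW = 64                        # how far behind the newest sequence we accept


class Sender:
    """Seals each payload as header || payload || tag (assumed layout)."""

    def __init__(self, key):
        self.key = key
        self.seq = 0

    def seal(self, payload):
        self.seq += 1
        # Fresh salt per packet: identical payloads never produce identical
        # packets, and the sequence number is covered by the tag.
        header = HEADER.pack(self.seq, os.urandom(8))
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag


class Receiver:
    """Verifies every packet, not just the first one of a connection."""

    def __init__(self, key):
        self.key = key
        self.highest = 0
        self.seen = set()

    def open(self, packet):
        if len(packet) < HEADER.size + TAG_LEN:
            return None, "short"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison; check the tag before trusting any field.
        if not hmac.compare_digest(tag, expected):
            return None, "bad-tag"
        seq, _salt = HEADER.unpack(body[:HEADER.size])
        if seq + WINDOW <= self.highest:
            return None, "too-old"
        if seq in self.seen:
            return None, "replay"
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        # Forget sequence numbers that have fallen out of the window.
        self.seen = {s for s in self.seen if s + WINDOW > self.highest}
        return body[HEADER.size:], "ok"


def demo():
    """Out-of-order delivery is accepted; a replay and a forgery are not."""
    key = os.urandom(32)
    tx, rx = Sender(key), Receiver(key)
    p1, p2, p3 = [tx.seal(m) for m in (b"login alice", b"get plans", b"logout")]
    results = [rx.open(p1)[1], rx.open(p3)[1], rx.open(p2)[1]]
    results.append(rx.open(p2)[1])             # captured packet sent again
    forged = bytearray(p1)
    forged[HEADER.size] ^= 1                   # flip one payload bit
    results.append(rx.open(bytes(forged))[1])
    return results


if __name__ == "__main__":
    print(demo())
```
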


ODS What strengths does CryptoWatch have?

1024 bit RSA signatures of SHA-1 or MD5
Idiot proof operation
IDEA, Triple DES, and new keys every 60 seconds.
Low cost
Works across any WAN, dial, ISDN, FR, X.25, ADSL, ...
Works on any LAN
Built in compression, pre-encryption...
Approvals and history in compartmentalized environments.
Export approval for strong crypto without key escrow, key
recovery, or the need for prior export licenses to
customers in 44 countries.


ODS Two Halves of the Security Solution

Network Data

• Provides a Network Perspective
• Cannot identify what happened - host state awareness lacking
• Is rendered less useful when encrypted
• Is essential to prove any case - non-repudiation requires trace

Host Data

• Provides exact log of what happened
• Tracks Who, What & When
• Cannot Identify Where a User really is
• Is the richest source of data and is still completely useful for
  monitoring criminal use of encrypted communications

Integration provides a common view of suspicious
traffic & corresponding illegal user activity


Internal Audit, Data Rollup, then
Proper Security Response

Numerous inputs can be consolidated into a single
management console

- Intrusion Detection Systems
- Firewalls
- Host monitoring
- Database access
- Application logs
- Authentication
- Dial-up access

Response(s) can be automated based on enterprise
correlation


Bringing it All Together
Enterprise Security Console

How to deal with the data issue:

Megabytes generated every day

Large audit reduction requirement

“Normalizing” the data across disparate systems
- Log files - OS, Firewalls, applications, RAS
- Network infrastructure
- Conversations
- Behavioral anomalies

Constant Change

As a user works, CMDS automatically builds a histogram of the
user’s normal activity, then alerts on any change...


How to Solve the Data Issue

• CMDS correlates individual alerts and data
• Use relational database to store the data
  - Event-based schema
  - Use statistical behavioral profiling
• OLAP On-Line Analytical Processing
  - Allows analysis of very large data sets - correlation by:
    • Date/Time
    • Type of event
    • Location of event
    • Severity of event
    • Trend analysis
    • Modeling and prediction


The Expert Security Solution

• Real Security Expertise is Rare
  - Too many issues, too few wizards
  - Critical mass issues, cost sharing of wizards
• Phased awareness
  - Initial requests for 2% problems: firewalls, IDS, VPN
  - 90% Solutions:
    Solving the insider problem, fraud, theft, and the like.

Layered defenses are best.

A wealth of security violation data lies dormant in your network,
sometimes collected, but never methodically analyzed except after a
major embarrassment.

A Security Expert System is required to simplify the problem and
perform the necessary data reduction, correlation, and isolation of
security problems.


ODS CMDStm Enterprise

• CMDS is an expert system that monitors internal events in
  organizational Network(s).
• Currently monitors NT OS Audit Logs:
  - Impossible to do job manually
• Configurable to monitor events from:
  - Critical Applications
  - SQL DBMS’
  - Any Pertinent Data Sources

A Pro-active approach to security policy generation
and management

[Diagram labels: ODBC SQL & DISPLAY System; Alerts; Active Response; Intrusion Alerts; Increased Surveillance; Reports and Graphs; Event Analysis; Audit Source Files, Compressed & Encrypted; Server Farm; User Workstations]


ODS Why CMDS Enterprise?

[Chart labels: External 30%; a second percentage label, cut off; Financial Fraud; Theft of Data]


Problems Security Professionals
Face Every Day

Sifting through the massive amount of data quickly to find:
- Patterns,
- Anomalies or
- Other indications of intrusions or attacks

With CMDStm Enterprise, security officers will be able to:
- focus proactively on security policy management instead of
  auditing system event logs

[Diagram labels: Application Logs; Network Anomalies; Directories; Router Logs]


• Open Architecture
  - Supports standard SQL databases
  - Flexible and Extensible
• Highly Scalable Architecture
• User Behavior Fingerprinting
• Expert System for Security Policy monitoring
• Universal Audit Parsing Interface
• Centralized Audit Management


CMDStm Enterprise
Services

CMDStm Enterprise was designed to support the following
services:

• Collection of operational audit from hosts and event data from
  any other system within the organization
• Encryption and reduction of operational audit when transmitted
  across the network
• Reformatting and parsing of virtually any audit source for event
  analysis
• Audit data log filtering
• Expert system analysis of filtered event logs for signs of known
  intrusions and attacks
• Behavioral and statistical profiling of definable categories for
  all users


CMDStm Enterprise
Services (cont’d)

SQL Database repository, includes management and maintenance
Severity level classification, 0-5
Generation of warnings, alerts
Notification through pagers, email, Managers of Managers
Command and Control through notification scripting
Ad hoc query, filtering and sorting of event data
Reporting and Charting
Centralized audit management, includes archival and retrieval


CMDStm Enterprise’s integrated statistical profiling
engine dynamically builds a fingerprint of user behavior
and automatically creates a baseline of application
operations.

Every user settles into a usage pattern over time

CMDStm Enterprise detects when that pattern changes
- Accesses to servers
- Accesses to workstations
- File Browsing
- Nighttime activity
- Peer group analysis


CMDStm Enterprise
Architecture

[Diagram labels: CMDS Console (three shown); CMDS Manager(s); Expert System Rules Analysis; Universal Parser Sub-system; Audit Analysis; Solaris, ISS RealSecure, Oracle, Cisco NetRanger; Monitored NT; Monitored Solaris; Monitored 5ESS; Monitored Router; Monitored IDS; Monitored Firewall]

Highlights:

• Multiple agents are monitored by a single CMDS Manager system
• Expert System Rules find standard problems
• Activity profiler finds exceptions to each person’s historical
  usage patterns
• A criminal may fit his own historical pattern, but will stand out
  as a group behavioral exception.
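
The last two highlights describe two different tests: a user against his or her own history, and a user against the peer group. The added example below (not CMDS code; the data is constructed, and the scoring method and threshold are assumptions) shows a user who changes habits but stays inside the group norm, and a user who matches his own history but stands out from the group.

```python
from statistics import mean, median, pstdev

# Constructed data: files browsed per day over five prior days, then today.
HISTORY = {
    "alice": [5, 6, 5, 4, 5],
    "steve": [18, 25, 21, 19, 23],
    "kim":   [24, 20, 22, 23, 21],
    "dave":  [19, 21, 20, 22, 18],
    "kurt":  [240, 250, 245, 255, 248],
}
TODAY = {"alice": 22, "steve": 22, "kim": 23, "dave": 20, "kurt": 250}
THRESHOLD = 3.0   # assumed alerting threshold, in standard deviations


def self_score(today, history):
    """Deviation of today's count from the user's own history (z-score)."""
    # Floor sigma at 1.0 so a perfectly regular user does not alert on +1.
    sigma = max(pstdev(history), 1.0)
    return (today - mean(history)) / sigma


def group_score(today, peer_levels):
    """Deviation from the peer group, using median and MAD.

    Median-based statistics are used so that one extreme peer does not
    inflate the spread and hide everyone else (an assumption of this sketch).
    """
    center = median(peer_levels)
    mad = max(median([abs(x - center) for x in peer_levels]), 1.0)
    return 0.6745 * (today - center) / mad


def exceptions(history, today, threshold=THRESHOLD):
    """Map each flagged user to the list of tests that flagged them."""
    levels = {user: mean(h) for user, h in history.items()}
    found = {}
    for user, value in today.items():
        reasons = []
        if abs(self_score(value, history[user])) > threshold:
            reasons.append("self")      # habit change from own norm
        peers = [lvl for u, lvl in levels.items() if u != user]
        if abs(group_score(value, peers)) > threshold:
            reasons.append("group")     # outlier against peer group
        if reasons:
            found[user] = reasons
    return found


if __name__ == "__main__":
    print(exceptions(HISTORY, TODAY))
```

A real profiler would keep one such baseline per activity category (server accesses, nighttime activity and so on) rather than the single count used here.
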


GUI on NT

Legend:
- Provided in CMDS 4.0
- User Developed
- 3rd Party Vendor Developed
- Direct reading of file by opening
- Files transferred by directory
- ODBC Interface
- CORBA Interface
- Secure CORBA using SSL


ODS Universal Parser Process

[Diagram labels: Collector; Translator; Sender; NetRanger; RealSecure; ASIMs; Intelligence Source; Application Logs; Any data source; CMDS Manager System]

Highlights:

• Translator on the client side reduces workload of the CMDS
  Management system
• Collector and Translator may be combined as a single process


[Screenshot: Computer Misuse Detection System, Event Log, Unacknowledged Event Status. Host tree: Network 5, West Coast 5, Products&Sales 5, CARDIFF 2, CARLSBAD 3, DEL-MAR 5, ENCINITAS 4, LA_JOLLA 2, SANTA-FE 0, TORREY-PINES 3, VISTA 1. Columns: Operating System, Event Number, User Name, Computer Name. The visible rows are timestamped 1999-01-25 15:29, event type passed, users Heather, George, Frank, Elizabeth and Danny, computer TORREY_PINES. There are 16100 records in the result set. 500 record(s) loaded.]

CMDS Charts


CMDStm Enterprise Reports

Alerts and Warnings by Machine Name
Alerts and Warnings by Event Type
Alerts and Warnings by User Name
Alerts and Warnings by Day
Alerts and Warnings by Week
Failed Directory/Failed Access by Machine Name
Failed Logins by Machine Name


Where CMDS Is Used Worldwide

U.S. Government
U.S. Federal Agencies
U.S. Department of Defense

Foreign Countries
European Governments
NATO

U.S. Commercial Organizations
Telecommunications
Software Design Organizations
Financial Organizations

Pacific Rim Countries
Australian Government
Japanese Government


CMDS in Action

CAST: Alice - Manager; Computer Security Officer - Security; Kurt - Disgruntled employee; Building Security

CMDS constantly monitors all activity for telltale signs
of illegal activity...

CMDS Alerts on the Hacker Attack and to the Privilege
upgrade. Security obtains detailed analysis.

CMDS Alerts on Tagged User “Guest”. Security calls
Building Security and notifies them of the situation.

Building Security goes to Alice’s office and catches Kurt in
the act of stealing personnel information!

Building Security contacts Security about the arrest and
prepares a CMDS report of the event trail for
prosecution.


Time Line

11:45 AM
11:57 AM
11:59 AM
5:04 PM

Alice leaves for lunch, but forgets to lock her
workstation.

Shortly after leaving her office, Kurt enters Alice’s office
with a utility that will give him root access to Alice’s
machine.

Then Kurt runs the User Manager to unlock the Guest
account; grants Guest Admin privileges with a new
password; removes Admin upgrade trail to cover his
tracks and removes floppy. Kurt returns to his office.

Alice leaves for home.

At the end of the day Alice leaves for home, only to
have Kurt enter her office and begin downloading
sensitive data...


DateLine: Tuesday, 11:02 AM, West Coast Product&Sales Building

[Screenshot: CMDS Event Log. Host tree: DEL_MAR 0, ENCINITAS 3, LA_JOLLA 5, SANTA_FE 3, SANTE_FE 1, TORREY_PINES 4, VISTA 5. Columns: Severity, Operating System, Event Number, EventType, User Name, Computer Name. Rows are timestamped 1999-01-15 between 10:24:52 and 11:06:58. There are 33 records in the result set. 33 record(s) loaded.]

After logging in Security begins reviewing events and users which show signs of
*\ 


DateLine: Tuesday, 11:03 AM, West Coast Product&Sales Building

[Screenshot: Filter Audit Data dialog (Operating System choices; Cancel, Details) and an Event Details view. There are 12 records in the result set. 12 record(s) loaded.]

User Name: Steve
Computer Name: CARDIFF

Event Analysis

Security is alerted on unusual traffic patterns as well as
acker co


DateLine: Tuesday, 11:04 AM, West Coast Product&Sales Building

[Screenshot: Computer Misuse Detection System, Acknowledge Events dialog over the Event Log. Host tree: Network, My Domain, MyWorkgroup, CARDIFF, CARLSBAD, DEL_MAR, ENCINITAS, LAJOLLA, SANTA_FE, SANTE_FE, TORREY_PINES, VISTA. Columns: User Name, Computer Name, Severity, Operating System, Event Type. One window reports 33 records in the result set, a second reports 12.]

The audit log was cleared


DateLine: Tuesday, 11:09 AM, West Coast Product&Sales Building

[Screenshot: Computer Misuse Detection System, Event Log. Host tree: Network 5, West Coast 5, Product&Sales 5, CARDIFF 1, CARLSBAD 4, DEL_MAR 0, ENCINITAS 3, LA_JOLLA 5, SANTA_FE 3, SANTE_FE 1, TORREY_PINES 4, VISTA 4.]

At the security center, CMDS alerts on suspicious
events for Alice’s computer...

Row  Time Generated           Severity  Operating System  Event Number  EventType  User Name  Computer Name
41   1999-01-15 11:51:31.000  1         nt                560           passed     Kim        CARLSBAD
42   1999-01-15 11:51:52.000  1         nt                560           passed     Mike       SANTE_FE
43   1999-01-15 11:52:15.000  1         nt                560           passed     Alice      LA_JOLLA
44   1999-01-15 11:52:46.000  1         nt                560           passed     Dave       VISTA
45   1999-01-15 11:52:48.000  1         nt                560           passed     Steve      CARDIFF
46   1999-01-15 11:53:17.000  1         nt                560           passed     Steve      CARDIFF
47   1999-01-15 11:53:48.000  2         nt                633           passed     Cindy      ENCINITAS
48   1999-01-15 11:54:11.000  2         nt                512           passed     Tom        TORREY_PINES
49   1999-01-15 11:54:15.000  2         nt                634           passed     Alice      LA_JOLLA
50   1999-01-15 11:54:33.000  2         nt                513           passed     Kim        CARLSBAD
51   1999-01-15 11:54:36.000  2         nt                640           passed     Dave       VISTA
52   1999-01-15 11:55:16.000  3         nt                ?             passed     Cindy      ENCINITAS
53   1999-01-15 11:55:22.000  3         nt                535           passed     Kim        CARLSBAD
54   1999-01-15 11:55:25.000  5         cmds              10020         passed     Alice      LA_JOLLA
55   1999-01-15 11:55:25.000  2         nt                592           passed     Alice      LA_JOLLA
56   1999-01-15 11:55:31.000  4         cmds              10016         passed     Alice      LA_JOLLA
57   1999-01-15 11:55:31.000  2         nt                632           passed     Alice      LA_JOLLA
58   1999-01-15 11:56:29.000  3         nt                535           passed     Dave       VISTA
59   1999-01-15 11:57:14.000  3         nt                625           passed     Kim        CARLSBAD
60   1999-01-15 11:57:31.000  3         nt                625           passed     Dave       VISTA
61   1999-01-15 11:57:38.000  3         nt                625           passed     Mike       SANTA_FE
62   1999-01-15 11:57:44.000  4         nt                608           passed     Tom        TORREY_PINES
63   1999-01-15 11:57:52.000  4         nt                608           passed     Dave       VISTA
64   1999-01-15 11:58:15.000  4         nt                608           passed     Tom        TORREY_PINES
65   1999-01-15 11:58:19.000  4         nt                643           passed     Dave       VISTA
66   1999-01-15 11:58:39.000  4         nt                643           passed     Dave       VISTA
67   1999-01-15 11:59:41.000  4         nt                643           passed     Tom        TORREY_PINES
68   1999-01-15 11:59:48.000  4         nt                643
69   1999-01-15 11:59:57.000  4         nt                608           passed     Kim        CARLSBAD


DateLine: Tuesday, 12:02 PM, West Coast Product&Sales Building

[Screenshot: two overlapping Event Details dialogs, Row 54 and Row 56; their fields are interleaved below as extracted.]

Event Details - Row 54
Event Details - Row 56

Time Generated: 1999-01-15 11:5
User Name: Alice
Time Generated: 1999-01-15 11:55:31.000
Computer Name: LA_JOLLA
Severity: 4
Operating System: cmds
Event category: warning
Operating System: cmds
Event Number: 10020
Event Source Log: analyzer
Event Number: 10016
Event Type: pass
Resolution: 3
Event Type: passed

Event Analysis

CMDS has detected the sechole ex

CMDS has detected a change to the Administrators,
Domain Administrators, or Power Users groups.

to Adm
occuri

quickly determine
that a hacker
program was
executed...


DateLine: Tuesday, 12:04 PM, West Coast Product&Sales Building

[Screenshot: Computer Misuse Detection System, Event Log, Unacknowledged Event Status. Host tree: Network 5, West Coast 5, Product&Sales 5, CARDIFF 1, CARLSBAD 3, DEL_MAR 0, ENCINITAS 3, LA_JOLLA 5, SANTA_FE 3, SANTE_FE 1, TORREY_PINES 4, VISTA 4. Columns: Severity, Operating System, Event Number, EventType, User Name, Computer Name. Several of the visible rows show user Guest on LA_JOLLA.]


DateLine: Tuesday, 5:38 PM, West Coast Product&Sales Building

[Screenshot: CMDS "Event Details" window, Row 22. The Time Generated, Severity, Operating System and Event Number fields are cut off in the source; Event Type is "passed".]

Event Analysis: A non-interactive service account was logged into!

Callout: ...further details that an Unauthorized User has logged on to Alice's computer...

DateLine: Tuesday, 5:39 PM, West Coast Product&Sales Building


Benefits of CMDS™ Enterprise

Event information can be collected from disparate systems into a common platform

Event data can be managed at its location or centrally

Detection and monitoring of unauthorized access by employees, including system administration personnel

Benefits of CMDS™ Enterprise (cont'd)

Security policy monitoring on a 7X24 basis

Profiles of user(s) dynamically created to identify account hi-jacking - Last Line of Defense

Archival & Retrieval of Raw Audit Data aids in the Contingency Planning Process


Air Force and NATO deployments of SecureCom

Integration of routers, firewalls, VPN, IDS, hosts, and a conversation aware infrastructure within the CMDS expert system.

Questions on SecureCom and CMDS:

Scaling Up to necessary Speeds, the McKinley engine project.

Questions.


SecureCom Security Platform
Alias: DMZ in a box, LAN in a can...

Network Connectivity
Pentium PC/Sun/HP Modules
ODS Security Software
Third Party Software, multi-port probe firmware.

Easy To Install and Manage

Lean, Light, & Lethal

[Diagram: SecureCom components and the products named under them, in the order they appear in the source]
- Authentication & Encryption VPN
- Firewalls: (Raptor) (Firewall 1) (Lucent) (Gauntlet)
- (Crypto Watch) (Flexible)
- Infrastructure and Traffic Monitoring; Network & Host Based IDS: (RealSecure) (NetRanger) (ProtoCop) (CMDS) (NFR)
- Multivendor Profiling & Correlation: (CMDS Enterprise)


Current Speed Limits of Security

Security management requires Layers 3, 4, and above

Speed Limits of prior technology - Existing IDS and Firewall Limits
- ASICs and processor combinations limited to less than 100 Mb/s

How to manage and secure at Gigabit and Terabit LAN speeds?
- Can't drink from a fire hose without specialized hardware
- Analysis at 1 Gb/s and above
- ODS String Search Engine as a firewall, IDS, profiler on steroids
Typical Challenges in Today's Environment

Server & Users
- Fast Ethernet
- OC3/OC12
- Gig Ethernet or Fiber Channel
- Hippi 800
- GSN / 10 Gig Ethernet

Over-subscription: where?
Trunking
Where billing and security?

• Hardware Joshua Tree
• 3 Year Development
• Full 7 Layer Decoding
• First Prototype: 2.2 Mpps with 1 Million Strings
• Production ASIC: 12 Mpps with 1+ Million Strings
• Pattern matching scalable to fit any requirement
Applications of String Search Engine

1 Gb/s conversation analysis for OC3/12, GE, Hippi 800

OC12 and GE Encryption box

GSN or 10 Gigabit Probe

Hardware CERT Attack Filter

Custom Probes for specialized data selection and collection

Gigabit Firewall that also provides full IDS, billing, and upper layer decodes to feed user profile analysis for habit monitoring by CMDS.


Hardware Components
- Hardware Interface, memory, packet engine, & CPU
- Hardware can be integrated to other processes
  • RMON, Firewall, Encryption, Authentication, Routing, Switching

Simple Program Language
- Tells engine where to look in packet; bit(s)/bytes or range
- Recognizes patterns found in packet and matches to programmed signatures
  • Conversation pairs, packet data, protocol analysis, data descriptions

Provides Descriptors
- Allows commands to be sent when matches found
- Match handle is a 24 bit number
- Internal counters can accumulate statistics of each match


Flexible Pattern Recognition & Response

Pattern Recognition
- Simple single patterns, bit or byte
- Complex patterns or ranges
- Nested patterns

Pattern Response
- Send descriptor to
  • Log
  • Alert
  • Launch process
- Look for next pattern
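The engine behaviour listed on the two slides above (look at a given offset or range, compare bits or bytes, nest patterns, emit a descriptor carrying a 24-bit match handle, count each match) can be modelled in a few lines of Python. This is an added illustration, not ODS code and not the engine's own program language; the Signature and Engine names, the rule layout, the handle values and the sample packet are assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Signature:
    handle: int                   # match handle; the slides give it 24 bits
    pattern: bytes                # byte values to compare
    start: int                    # first packet offset to examine
    end: Optional[int] = None     # last offset of a range (None: start only)
    mask: Optional[bytes] = None  # per-byte bit mask, same length as pattern
    action: str = "log"           # where the descriptor goes: log/alert/launch
    nested: tuple = ()            # signatures tried only after this one hits

    def __post_init__(self):
        if not 0 <= self.handle < 1 << 24:
            raise ValueError("match handle must fit in 24 bits")

    def find(self, pkt: bytes) -> Optional[int]:  # first match offset or None
        n = len(self.pattern)
        mask = self.mask or b"\xff" * n
        last = min(self.start if self.end is None else self.end, len(pkt) - n)
        for off in range(self.start, last + 1):
            if all(((pkt[off + i] ^ self.pattern[i]) & mask[i]) == 0 for i in range(n)):
                return off
        return None

class Engine:
    def __init__(self, signatures):
        self.signatures, self.counters = list(signatures), Counter()  # per-handle stats

    def inspect(self, pkt: bytes):  # one (handle, offset, action) per match
        descriptors, todo = [], list(reversed(self.signatures))
        while todo:
            sig = todo.pop()
            off = sig.find(pkt)
            if off is not None:
                self.counters[sig.handle] += 1
                descriptors.append((sig.handle, off, sig.action))
                todo.extend(reversed(sig.nested))  # look for the next pattern
        return descriptors

# Constructed sample: IPv4 header (IHL = 5, fixed offsets assume it), TCP, Telnet.
PACKET = bytes.fromhex("4500003300004000400600000a0000010a000002"
                       "04d2001700000001000000015018200000000000") + b"login: root"
RULES = [Signature(1, b"\x06", 9, nested=(                 # IP protocol is TCP
             Signature(2, b"\x00\x17", 22, nested=(        # destination port 23
                 Signature(3, b"root", 40, end=1500, action="alert"),)),)),
         Signature(16, b"\x02", 33, mask=b"\x12")]         # SYN set, ACK clear
```

A UDP packet carrying the same port bytes and payload yields no descriptors, because the nested port and payload signatures are evaluated only after the outer protocol signature matches.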


• High Speed Packet Filtering
  - Packet filtering rate of 700,000 to 5 million packets per second

• Numerous Signatures can be Programmed
  - From 100,000 to 1 million signatures
  - Simple, complex or nested signatures

• Looks Anywhere in the Packet
  - Can be programmed to look for bit/byte patterns in packet header, payload, or over multiple packets
HSPE Architecture

• Provides Wire-Speed Filtering
  - Reviews packets at over Gigabit speeds
  - Finds matches in packets with pre-defined signatures
  - When matches found sends "commands" to other processes based on pre-set filter criteria

• Can be Attached in Numerous Ways
  - As a faster Firewall, IDS, or user profiler
  - In between "Up-links" between switches or routers
  - At connection points LAN to LAN, LAN to WAN, WAN to WAN

• Only hope above 100 Mb/s. Runs currently at 2 Gb/s, scales to 10 Gb/s links.




Contact Information

Dave Steinman - DC
- DC Special Programs Manager
- dsteinman@ods.com
- 703/506-1167

Mike Celiceo - San Diego
- CMDS Product Specialist
- mceliceo@ods.com
- (619) 268-4236 ext. 2232

Joe Head - Dallas
- Executive VP
- head@ods.com
- 972/301-3636


